System Requirements

Supported Secured Targets

A secured target is a database or nondatabase product that you secure using either the Audit Vault Agent, the Database Firewall, or both. If the secured target is a database, you can monitor or block its incoming SQL traffic with the Database Firewall. If the secured target, whether or not it is a database, is supported by the Audit Vault Agent, you can deploy the agent on that target's host computer and collect audit data from the internal audit trail tables and operating system audit trail files.

Oracle AVDF supports various secured target products out of the box in the form of built-in plug-ins. See the following for information about plug-ins and currently supported secured target versions:

Integrations With Third-Party Products

You can integrate Oracle AVDF with the following third-party products:

BIG-IP Application Security Manager (ASM): This product from F5 Networks, Inc. is an advanced Web Application Firewall (WAF) that provides comprehensive edge-of-network protection against a wide range of Web-based attacks. It analyzes each HTTP and HTTPS request, and blocks potential attacks before they reach the Web application server. For more information, see Chapter 9, "Configuring Integration with BIG-IP ASM."

The process flow for the Audit Vault and Database Firewall components is as follows:

For each secured target, the Audit Vault Agent is deployed, and/or the Database Firewall is placed in the network and configured to protect that target.

If the agent is deployed, Oracle AVDF is configured to collect the appropriate audit trail from the secured target. If the Database Firewall is protecting the target, a firewall policy is applied for that target.

You can configure multiple secured targets from different database product families, as well as nondatabase products, using the same Audit Vault Server.

The Audit Vault Agent retrieves the audit data from secured targets and sends this data to the Audit Vault Server.

The Database Firewall monitors SQL traffic to database secured targets and sends data to the Audit Vault Server according to a firewall policy. The firewall can be configured to monitor and raise alerts only, or to block SQL traffic and optionally substitute statements according to a policy.

The Audit Vault Server stores the Oracle AVDF configuration data, and the collected audit data, in its internal data warehouse.

Once the audit data is in the data warehouse, an auditor can generate and customize reports, as well as configure email notifications, on the Audit Vault Server.

The Audit Vault Server

The Audit Vault Server contains the tools necessary to configure Audit Vault and Database Firewall components, and to collect audit data from, and apply firewall policies to, your secured targets. Any settings that you, the administrator, create, such as security settings, are contained in this server.

The Audit Vault Server also contains an Oracle database, and makes it available to reporting tools through a data warehouse.

This embedded Oracle Database has Database Vault automatically enabled and configured. Database Vault provides greater security by restricting access to sensitive areas of the Oracle Database for any user, including those with administrative access.

Note:

You should not attempt to administer or set password policies for the Oracle Database embedded in the Audit Vault Server.

The Audit Vault Server provides the following services:

Audit data collection and lifecycle management

Audit Vault Agent management

Database Firewall management

Audit and firewall policy management

Alerting and notification management

User entitlement auditing

Stored procedure auditing (SPA)

Reporting

Archiving data

High availability mode

Published data warehouse schema that can be used with reporting tools such as Oracle Business Intelligence Publisher to create customized reports

User access management

Third party integrations

The Database Firewall

The Database Firewall is a dedicated server that runs the Database Firewall software. Each Database Firewall monitors SQL traffic on the network from database clients to secured target databases. The Database Firewall then sends SQL data, according to a defined firewall policy, to the Audit Vault Server to be analyzed and presented in reports.

An Oracle AVDF auditor can create firewall policies that define rules for how the Database Firewall handles SQL traffic to the database secured target. The firewall policy specifies the types of alerts to be raised in response to specific types of SQL statements, and when to log specific statements. The policy also specifies when to block potentially harmful statements, and optionally substitute harmless SQL statements for blocked statements. To do this, the Database Firewall can operate in one of two monitoring modes:

DAM Mode: Database Activity Monitoring. When in this mode, the Database Firewall applies the rules in a firewall policy to monitor and raise alerts about potentially harmful SQL traffic to your secured target database, but it does not block or substitute SQL statements. This mode never changes traffic, so a rule that would block a statement only raises an alert.

DPE Mode: Database Policy Enforcement. When in this mode, the Database Firewall monitors and raises alerts as in DAM mode, and additionally blocks the SQL statements that the firewall policy identifies as harmful, optionally substituting a harmless statement for each blocked one. Blocking requires the firewall to be in the traffic path (an inline deployment); an out-of-band deployment fed from a spanning port can only monitor.

In order to control how the Database Firewall protects a database secured target, you configure enforcement points for each secured target. The enforcement point specifies whether the firewall operates in DPE or DAM mode, which firewall policy to apply to the secured target, and other settings. For more information, see "Configuring Enforcement Points".
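The difference between the two modes, and what statement substitution means in practice, is easiest to see in code. The following is an added illustration written for this page, not Oracle AVDF code: the rule format, the regular-expression statement classifier, the first-match evaluation order and the substitute statement are all assumptions made for the example (an AVDF policy is built from SQL statement clusters learned from the application, not from regular expressions).

```python
"""Toy enforcement point applying a firewall policy in DAM or DPE mode.

Added illustration, not Oracle AVDF code.  The rule format, the regex-based
statement classifier and the substitute statement are assumptions made for
this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    action: str            # "pass", "alert" or "block"
    severity: str = "info"


@dataclass
class Decision:
    original: str
    forwarded: Optional[str]                 # statement sent on to the database
    alerts: List[Tuple[str, str]] = field(default_factory=list)
    logged: bool = True


# Assumed harmless statement substituted for a blocked one in DPE mode.
SUBSTITUTE = "SELECT 1 FROM DUAL WHERE 1 = 0"

# Constructed policy.  Order matters: the first matching rule wins, so the
# injection signature must precede the broad "pass" rule for app.* queries.
POLICY = [
    Rule("drop_table", re.compile(r"^\s*drop\s+table\b", re.I), "block", "critical"),
    Rule("tautology_injection", re.compile(r"\bor\s+1\s*=\s*1\b", re.I), "block", "critical"),
    Rule("grant_dba", re.compile(r"^\s*grant\s+dba\b", re.I), "alert", "warning"),
    Rule("app_select", re.compile(r"^\s*select\b.*\bfrom\s+app\.", re.I | re.S), "pass"),
]


def apply_policy(sql, mode, policy=POLICY, substitute=SUBSTITUTE):
    """Apply the first matching rule to one statement.

    DAM mode never changes traffic: a "block" rule degrades to an alert and the
    statement is forwarded unchanged.  DPE mode enforces it: the statement is
    replaced by `substitute` (or dropped, if substitute is None).  Statements
    matching no rule are forwarded, logged and flagged as unknown in both modes.
    """
    if mode not in ("DAM", "DPE"):
        raise ValueError("mode must be DAM or DPE")
    decision = Decision(original=sql, forwarded=sql)
    for rule in policy:
        if not rule.pattern.search(sql):
            continue
        if rule.action == "pass":
            decision.logged = False          # known-good traffic, not logged
        else:
            decision.alerts.append((rule.name, rule.severity))
            if rule.action == "block" and mode == "DPE":
                decision.forwarded = substitute
        return decision
    decision.alerts.append(("unknown_statement", "warning"))
    return decision


if __name__ == "__main__":
    samples = [
        "SELECT name FROM app.customers WHERE id = 42",
        "SELECT name FROM app.customers WHERE id = 42 OR 1=1",
        "DROP TABLE app.customers",
        "ALTER SYSTEM SET audit_trail = NONE",
    ]
    for mode in ("DAM", "DPE"):
        for sql in samples:
            d = apply_policy(sql, mode)
            print(f"{mode}: {sql!r} -> forwarded={d.forwarded!r} alerts={d.alerts}")
```

Running the script shows the same policy producing alerts only in DAM mode and substituted statements in DPE mode; the unknown ALTER SYSTEM statement is forwarded in both modes but flagged, which is the case an auditor reviews when tuning the policy.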

The Database Firewall can be placed in your network in various ways: inline, out of band, or configured as a proxy. For more information, see:

The Audit Vault Agent

The Audit Vault Agent retrieves the audit trail data from a secured target database and sends it to the Audit Vault Server. If the Audit Vault Agent is stopped, then the secured target database will still create an audit trail (assuming auditing is enabled). The next time you restart the Audit Vault Agent, the audit data that had been accumulating since the Audit Vault Agent was stopped is retrieved.

You configure one Audit Vault Agent for each host and one or more audit trails for each individual secured target database. For example, if a host contains four databases, then you would configure one Audit Vault Agent for that host and one or more audit trails for each of the four databases. The number and type of audit trails that you configure depends on the secured target database type and the audit trails that you want to collect from it. See Table B-13 for information on the types of audit trails that can be configured for each secured target type.

You can create the Audit Vault Agent on one computer and manage multiple audit trails from there. For example, suppose you have 25 secured target databases on 25 servers. You must configure an audit trail for each of these secured target databases, but you do not need to configure an Audit Vault Agent on each of the 25 servers. Instead, just create one Audit Vault Agent to manage the 25 audit trails. Be aware, however, that for Oracle Database secured targets you cannot use a remote Audit Vault Agent to collect the audit records of users who logged in with the SYSDBA or SYSOPER privilege, because those records are written to audit trail files on the database host's local file system, and the agent that collects them must therefore have access to that file system.
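The behaviour described above for a stopped agent (the target keeps auditing, and the restarted agent retrieves what accumulated in the meantime) depends on the collector remembering how far into each trail it has read. The following is an added illustration of that mechanism for a file-based trail, written for this page and not Audit Vault Agent code: the newline-delimited JSON record format, the checkpoint file, the in-memory list standing in for the Audit Vault Server and the stop/restart scenario are all constructed for the example.

```python
"""Checkpointed collection from a file-based audit trail.

Added illustration, not Audit Vault Agent code.  The record format, the
checkpoint file and the list standing in for the Audit Vault Server are
constructed for this example.
"""
import json
import os
import tempfile


class FileTrailCollector:
    """Forwards records from an append-only trail file to `sink`, persisting
    the byte offset reached so that a new instance resumes where this one
    stopped."""

    def __init__(self, trail_path, checkpoint_path, sink):
        self.trail_path = trail_path
        self.checkpoint_path = checkpoint_path
        self.sink = sink
        self.offset = self._load_checkpoint()

    def _load_checkpoint(self):
        try:
            with open(self.checkpoint_path) as f:
                return int(f.read().strip() or 0)
        except FileNotFoundError:
            return 0                 # first run: start at the beginning

    def _save_checkpoint(self):
        # Write-then-rename so a crash never leaves a half-written checkpoint.
        tmp = self.checkpoint_path + ".tmp"
        with open(tmp, "w") as f:
            f.write(str(self.offset))
        os.replace(tmp, self.checkpoint_path)

    def collect(self):
        """One collection pass; returns the number of records forwarded."""
        if os.path.getsize(self.trail_path) < self.offset:
            self.offset = 0          # trail rotated or truncated: start over
        sent = 0
        with open(self.trail_path, "rb") as f:
            f.seek(self.offset)
            while True:
                line = f.readline()
                if not line.endswith(b"\n"):
                    break            # EOF, or a record still being written
                self.sink.append(json.loads(line))
                self.offset = f.tell()
                sent += 1
        self._save_checkpoint()
        return sent


def demo():
    """Stop/restart scenario.  Returns (records per pass, seq numbers received)."""
    tmpdir = tempfile.mkdtemp()
    trail = os.path.join(tmpdir, "adump.jsonl")
    ckpt = os.path.join(tmpdir, "adump.ckpt")
    server = []                      # stands in for the Audit Vault Server

    def append(data):                # the secured target appending to its trail
        with open(trail, "ab") as f:
            f.write(data)

    def record(seq, action):         # constructed record format
        return json.dumps({"seq": seq, "action": action}).encode() + b"\n"

    for seq in (1, 2, 3):
        append(record(seq, "LOGON"))
    agent = FileTrailCollector(trail, ckpt, server)
    pass1 = agent.collect()          # 3 records
    del agent                        # agent stopped; the target keeps auditing
    for seq in (4, 5, 6):
        append(record(seq, "SELECT"))
    rec7 = record(7, "LOGOFF")
    append(rec7[:10])                # record 7 only half written so far
    agent = FileTrailCollector(trail, ckpt, server)   # agent restarted
    pass2 = agent.collect()          # 3 records; partial record 7 is left alone
    append(rec7[10:])                # target finishes writing record 7
    pass3 = agent.collect()          # 1 record
    return (pass1, pass2, pass3), [r["seq"] for r in server]


if __name__ == "__main__":
    print(demo())
```

The checkpoint is written once per pass, after the records have been handed to the sink, so a crash in the middle of a pass re-sends that pass's records on restart (at-least-once delivery, never loss); a collector that must not duplicate records would save the checkpoint after each record or deduplicate on the server side.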

The Audit Vault Agent also contains Host Monitor capability, which enables AVDF to monitor SQL traffic to a database directly on the database host. This can be useful for monitoring many small databases centrally. See "Enabling and Using Host Monitoring" for detailed information.

Placing Oracle AVDF Within Your Enterprise Architecture

When you deploy Oracle AVDF you set up the Audit Vault Server, then you can choose to deploy the Audit Vault Agent only, the Database Firewall only, or both.

Figure 1-2 shows Audit Vault and Database Firewall in an enterprise environment. This figure shows only one secured target for simplicity. A typical architecture will have many secured targets such as databases or nondatabase secured targets.

An Audit Vault Agent is deployed on the host computer of the secured target, which in this case is a database that is also protected by the Database Firewall. The Database Firewall has two connections: one for management traffic to the Audit Vault Server and one for the database traffic it monitors. The switch treats the two connections the same way.

Each Database Firewall uses separate network ports (separate network devices, and therefore separate network paths) for its management connection to the Audit Vault Server and for the database traffic it monitors. The network switch in this diagram therefore shows two port connections for each of the Database Firewalls.

The Database Firewall can connect to the database network in one of three ways:

Through a hub, tap or network switch configured with a "spanning port": A spanning port is also known as a "mirror port" on some switches. This method sends a copy of all database traffic to the Database Firewall. This configuration enables a Database Firewall to operate as an out-of-band audit and monitoring system, and produce warnings of potential attacks, but it cannot block potentially harmful traffic.

For more information about connecting hubs, taps or switches, see the following Web site:

Inline between the database clients and the database: This method enables the Database Firewall to block potential attacks as well as to operate as an audit or monitoring system.

As a proxy: Using this method, the Database Firewall acts as a traffic proxy, and the database client applications connect to the database using the Database Firewall's proxy IP and port address.

High-Availability Modes

You can configure pairs of Database Firewalls or pairs of Audit Vault Servers, or both, to provide a high-availability system architecture. These pairs are known as resilient pairs. The resilient pair configuration works in Database Activity Monitoring (DAM) mode only. See "The Database Firewall" for information on DAM mode.

Figure 1-3 shows a pair of Database Firewalls and a pair of Audit Vault Servers being used to protect a single database.

There are two administrator roles in Oracle AVDF, with different levels of access to secured targets:

Super Administrator - This role can create other administrators or super administrators, has access to all secured targets, and grants access to specific secured targets and groups to an administrator.

Administrator - Administrators can only see data for secured targets to which they have been granted access by a super administrator.

Summary of Configuration Steps

With Oracle AVDF, you can deploy the Audit Vault Agent, the Database Firewall or both. This section provides suggested high-level steps for configuring the Oracle AVDF system when you are:

After you have configured the system as an administrator, the Oracle AVDF auditor creates and provisions audit policies for Oracle Database secured targets, and generates various reports for other types of secured targets.

Configuring Oracle AVDF and Deploying the Database Firewall

This is a general workflow for configuring Oracle AVDF and deploying the Database Firewall:

Configure the Database Firewall basic settings, and associate the firewall with the Audit Vault Server. Then configure the firewall on your network. See "Configuring the Database Firewall".

Register the secured targets you are monitoring with the Database Firewall in the Audit Vault Server. Then configure enforcement points for these secured targets. Optionally, if you want to also monitor database response to SQL traffic, use the scripts and configuration steps to do so. See "Configuring Secured Targets, Audit Trails, and Enforcement Points".

Step 2: Plan the Database Firewall Configuration

If you are using Database Firewalls, plan how many you will need, which secured target databases they will protect, where to place them in the network, whether they will be in DAM (monitoring only) or DPE (monitoring and blocking) mode, and whether to configure a resilient pair of firewalls. Also plan whether to change the Database Firewall network configuration specified during installation.

Step 3: Plan the Audit Vault Agent Deployments

If you are deploying the Audit Vault Agent(s), determine the secured targets for which you want to collect audit data, and identify their host computers. You will register these hosts with Oracle AVDF and deploy the Audit Vault Agent on each of them. Then you will register each secured target in the Audit Vault Server.

Step 4: Plan the Audit Trail Configurations

If you are deploying the Audit Vault Agent to collect audit data, you will need to configure audit trails. This section provides guidelines for planning the audit trail configuration for the secured targets from which you want to extract audit data. The type of audit trail that you select depends on the secured target type, and in the case of an Oracle Database secured target, the type of auditing that you have enabled in the Oracle Database.

Step 6: Plan for High Availability

Step 7: Plan User Accounts and Access Rights

As a super administrator, you can create other super administrators and administrators. Super administrators will be able to see and modify any secured target. Administrators will have access to the secured targets you allow them to access. In this planning step, determine how many super administrators and administrators you will create accounts for, and to which secured targets the administrators will have access.

Firewalls - Provides menus for registering Database Firewalls in the Audit Vault Server, and creating resilient pairs of firewalls for high availability.

Hosts - Provides menus for registering and managing host computers (where the agent is deployed), and downloading and activating the Audit Vault Agent on those hosts.

Settings - Provides menus for managing security, archiving, and system settings. From here, you can also download the AVCLI command line utility.

Working with Lists of Objects in the UI

Throughout the Audit Vault Server UI, you will see lists of objects such as users, secured targets, audit trails, enforcement points, etc. You can filter and customize any of these lists of objects in the same way as you can for Oracle AVDF reports. This section provides a summary of how you can create custom views of lists of objects. For more detailed information, see the Reports chapter of Oracle Audit Vault and Database Firewall Auditor's Guide.

To filter and control the display of lists of objects in the Audit Vault Server UI:

For any list (or report) in the UI, there is a search box and Actions menu:

If you see a message saying that there is a problem with the Web site security certificate, this is usually because the Audit Vault Server is presenting a self-signed certificate that your browser does not trust. Accepting the warning bypasses the browser's check of the server's identity, so before you proceed confirm that you are connecting to the correct host (for example, by comparing the certificate fingerprint shown by the browser with the one on the Audit Vault Server). Then click the Continue to this website (or similar) link.

In the Login page, enter your user name and password, and then click Login.

The Dashboard page appears.

Using the Database Firewall UI

An administrator uses the Database Firewall UI to configure network, services, and system settings on the Database Firewall server, identify the Audit Vault Server that will be managing each firewall, and configure network traffic sources so that the firewall can monitor or block threats to your secured target databases.